Prioritizing vulnerabilities is not a solution

It seems like all I hear about in the vulnerability space right now is prioritization. It is the blockchain of vulnerability management. Yet prioritizing vulnerabilities does little, if anything at all, to solve the vulnerability management problem. I have spent close to a decade helping organizations with vulnerability management, and I am starting to wonder why we talk about this subject so much. Maybe it is because those are the latest and greatest features being added to vulnerability management products and tools. Maybe it is because we are overwhelmed by the quantity of vulnerabilities in our environments. Or maybe it is something we feel we can actually accomplish, something that provides value when we do not have control over the ultimate solution. Whatever the reason, I am not hearing about much else.

I get it. Prioritization is important. It helps us focus on the greatest risks to our organization, which has a greater impact than picking vulnerabilities to remediate at random. However, by focusing too much on vulnerabilities and their priorities, we may be ignoring the much larger problems within our organizations. I am not saying we shouldn't prioritize. We just need to recognize that it will not solve the underlying problem. Let me try to illustrate what I mean.

When I was young, my grandfather had leukemia. When someone you know has a terminal illness, you tend to learn a little bit about the disease. Leukemia causes the body, or more specifically the bone marrow, to produce fewer or flawed blood cells. As my grandfather's normal white blood cell count dropped, he would get sick more often, was prone to infection, and had many other medical issues. Along with the changes in the blood cells and blood cell counts, these other medical issues are some of the symptoms of leukemia.

Another interesting thing about leukemia is that it is always an indirect cause of death. The actual cause of death could be pneumonia, infection, or, in my grandfather's case, a form of skin cancer he most likely could have overcome had his body been healthy.

The only way I am aware of to potentially cure leukemia is to kill and replace, or allow the body to regenerate, the bone marrow that is defective. However, just because we know the cure doesn't mean we ignore the other issues created by the disease. In my grandfather's case, it was important to prioritize sicknesses and infections when they occurred, because those were immediate threats, and by prioritizing he was able to live a longer and healthier life. However, resolving these issues did nothing to combat the underlying disease.

This is how I feel about vulnerability prioritization. Should we do it? Absolutely. It may prevent our organization from suffering a breach or reduce the impact of a breach. However, while prioritization helps us focus on the most important symptoms, it does little to help us identify or treat the underlying disease.

So, what should we be focusing on if not prioritization? In my opinion, it is good old-fashioned problem solving. First, we need to identify our problems and be honest with ourselves about them. Maybe we have not invested enough money to maintain and support the systems, software, and applications we use in our environment, saddling us with legacy systems and software that cannot be upgraded or patched. Maybe we don't have sufficient resources, or the right type of resources or technology, to patch and configure all of our systems, software, and applications. Or maybe we just aren't communicating vulnerability data to the right audience, or at the right level of detail, to convince them to make a change, or even that a change is needed. The answer may be different for every organization, but I find most are experiencing many of the same issues, which I plan on discussing in future articles or posts. Stay tuned . . .

Well stated, Hazar. We spend a lot of time fixing symptoms and rarely invest enough time or money determining the true diagnosis and developing proper treatment to become more resilient.

Treating the syndrome, not the cause.

Pranjay singh

Cyber security Specialist | CISA | CISM | CRISC

5 years

I am interested David.
